Rke: event_rate_limit option does not work as expected.

Created on 3 Apr 2020 · 4 Comments · Source: rancher/rke

RKE version:
1.1.0
Docker version: (docker version,docker info preferred)

Operating system and kernel: (cat /etc/os-release, uname -r preferred)
RancherOS
Type/provider of hosts: (VirtualBox/Bare-metal/AWS/GCE/DO)
VMware
cluster.yml file:

    event_rate_limit:
      enabled: true
      configuration:
        apiVersion: eventratelimit.admission.k8s.io/v1alpha1
        kind: Configuration
        limits:
        - type: Server
          qps: 6000
          burst: 30000

Steps to Reproduce:
Create an rke config file including the excerpt above and then create a cluster
Results:
The kube-apiserver doesn't start, with the following error message:

    W0403 09:53:24.972851 1 helpers.go:98] ignoring invalid key policy/v1beta1/podsecuritypolicy, individual resource enablement/disablement is not supported in policy/v1beta1, and will prevent starting in future releases
    Error: failed to initialize admission: couldn't init admission plugin "EventRateLimit": Object 'Kind' is missing in '{"limits":[{"burst":30000,"qps":6000,"type":"Server"}]}'
    Usage:
    kube-apiserver [flags]

kind/bug

All 4 comments

I have the same issue here, with RKE 1.1.0 and RancherOS 1.5.5.

As far as I can see, the problem is that RKE creates the file /etc/kubernetes/admission.yaml with the wrong configuration.
When you set a custom configuration in rkeConfig file like this:

    event_rate_limit:
      enabled: true
      configuration:
        apiVersion: eventratelimit.admission.k8s.io/v1alpha1
        kind: Configuration
        limits:
        - type: Server
          qps: 6000
          burst: 30000

RKE creates this admission.yaml:

    apiVersion: apiserver.k8s.io/v1alpha1
    kind: AdmissionConfiguration
    plugins:
    - configuration:
        limits:
        - burst: 30000
          qps: 6000
          type: Server
      name: EventRateLimit
      path: ""

As you can see, it misses the Kind and ApiVersion parameters.
But if you do not set a custom configuration

    event_rate_limit:
      enabled: true

then RKE creates a default admission.yaml, with the correct configuration:

    apiVersion: apiserver.k8s.io/v1alpha1
    kind: AdmissionConfiguration
    plugins:
    - configuration:
        apiVersion: eventratelimit.admission.k8s.io/v1alpha1
        kind: Configuration
        limits:
        - burst: 20000
          qps: 5000
          type: Server
      name: EventRateLimit
      path: ""

For now this can be a workaround, so that kube-apiserver can work properly without the need to disable EventRateLimit.
If you need to change burst or qps parameters, you could do it manually in the admission.yaml of each master node, but RKE will change it every time you do an upgrade.

Strange, this seems to be the case for Secrets Encryption too...

Using something like:

    services:
      kube-api:
        secrets_encryption_config:
          enabled: true
          custom_config:
            apiVersion: apiserver.config.k8s.io/v1
            kind: EncryptionConfiguration
            resources:
            - resources:
              - secrets
              providers:
              - aescbc:
                  keys:
                  - name: k-fw5hn
                    secret: RTczRjFDODMwQzAyMDVBREU4NDJBMUZFNDhCNzM5N0I=
              - identity: {}

In cluster.yaml and running with RKE through terraform outputs:

Failed to parse cluster config: error decoding data: Object 'Kind' is missing in '{"resources":[{"providers":[{"aescbc":{"keys":[{"name":"key","secret":"
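
Both failures reported above (the EventRateLimit plugin configuration and the secrets encryption custom_config) come down to a configuration object reaching the decoder without its apiVersion and kind. The following Go preflight check is an added example, not RKE or Kubernetes code: it flags such objects in a rendered admission configuration before kube-apiserver is restarted. `MissingTypeMeta`, `CheckAdmissionConfig` and the two constants are hypothetical names, and the input is assumed to be the JSON form of admission.yaml.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed JSON renderings of the two admission.yaml files shown in the thread.
const customRendered = `{"apiVersion":"apiserver.k8s.io/v1alpha1","kind":"AdmissionConfiguration","plugins":[{"name":"EventRateLimit","path":"","configuration":{"limits":[{"burst":30000,"qps":6000,"type":"Server"}]}}]}`
const defaultRendered = `{"apiVersion":"apiserver.k8s.io/v1alpha1","kind":"AdmissionConfiguration","plugins":[{"name":"EventRateLimit","path":"","configuration":{"apiVersion":"eventratelimit.admission.k8s.io/v1alpha1","kind":"Configuration","limits":[{"burst":20000,"qps":5000,"type":"Server"}]}}]}`

// MissingTypeMeta lists which of apiVersion/kind are absent or empty in a JSON object.
func MissingTypeMeta(raw []byte) (missing []string) {
	var obj map[string]interface{}
	_ = json.Unmarshal(raw, &obj) // anything that is not an object leaves obj nil: both reported
	for _, k := range []string{"apiVersion", "kind"} {
		if s, _ := obj[k].(string); s == "" {
			missing = append(missing, k)
		}
	}
	return missing
}

// CheckAdmissionConfig returns one finding per inline plugin configuration lacking type metadata.
func CheckAdmissionConfig(doc []byte) ([]string, error) {
	var cfg struct {
		Plugins []struct {
			Name          string          `json:"name"`
			Configuration json.RawMessage `json:"configuration"`
		} `json:"plugins"`
	}
	if err := json.Unmarshal(doc, &cfg); err != nil {
		return nil, err
	}
	var findings []string
	for _, p := range cfg.Plugins {
		// An absent inline configuration means the plugin is configured through `path`, or not at all.
		if m := MissingTypeMeta(p.Configuration); len(p.Configuration) > 0 && len(m) > 0 {
			findings = append(findings, fmt.Sprintf("plugin %s: missing %s", p.Name, strings.Join(m, ", ")))
		}
	}
	return findings, nil
}

func main() {
	fmt.Println(CheckAdmissionConfig([]byte(customRendered)))
	fmt.Println(CheckAdmissionConfig([]byte(defaultRendered)))
}
```

`MissingTypeMeta` can also be run on its own against any other rendered config object, such as an EncryptionConfiguration, to catch the same omission.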

This issue/PR has been automatically marked as stale because it has not had activity (commit/comment/label) for 60 days. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

I have this issue too. The bot should keep this alive.
